VPN Nat issue on 4.8
Hi all,
I hope I'm posting my question in the right place. I've upgraded my 2 firewalls from 4.6 -> 4.7 -> 4.8. Now I have a problem with a VPN that uses NAT to reach the remote site. With 4.6 everything worked fine, but after the upgrade and the NAT rule conversion the VPN comes up and runs, but I get a lot of errors in the daemon log. My ipsec.conf is the following (it's the same one I used in 4.6):
Quote:
My pf.conf is the following:
Code:
lan1 = "172.16.1.0/24"
lan2 = "172.29.128.96/27"
lan3 = "172.20.44.224/27"
lan4 = "172.20.43.192/27"
lanremote = "10.0.0.0/8"
natvpn = "172.16.196.16/28"
fwremote = "<remotefw_pub_ip>"   # public IP address of the remote gateway
intvpn = "<myfw_pub_ip>"         # public IP address of this firewall
# $ext (the external interface) is used below; its definition was not included in the post

# 4.7+ NAT syntax: rewrite the LAN sources to $natvpn before they enter the tunnel
match out on enc0 from { $lan1, $lan2, $lan3, $lan4 } to $lanremote nat-to $natvpn source-hash

# VPN section: IKE (isakmpd, udp/500) and ESP between the two gateways
pass in quick on $ext inet proto udp from $fwremote to $intvpn port 500
pass out quick on $ext inet proto udp from $intvpn to $fwremote port 500
#
pass in quick on $ext inet proto esp from $fwremote to $intvpn
pass out quick on $ext inet proto esp from $intvpn to $fwremote

# ENC0 VPN interface
#################################################################################
# default deny on the tunnel interface
block in on enc0 all
block out on enc0 all
block return-rst in on enc0 proto tcp all
block return-rst out on enc0 proto tcp all
#
pass in quick on enc0 proto ipencap from $fwremote to $intvpn
pass out quick on enc0 proto ipencap from $intvpn to $fwremote
#
# only the NATed address crosses the tunnel, so these rules use $natvpn, not the LANs
pass out quick on enc0 inet proto { udp, tcp, icmp } from $natvpn to $lanremote
pass in quick on enc0 inet proto { udp, tcp, icmp } from $lanremote to $natvpn

The errors I get periodically in the daemon log are:
Quote:
I know that my ipsec.conf looks strange because I put the LAN IP addresses and not the NAT IP in the tunnel definition, but with 4.6 it worked fine. The only rule that I used before and have now removed in 4.8 is:
Code:
# pre-4.7 syntax; the 'no nat' form was dropped in the 4.7 NAT rewrite and is no longer in the 4.8 ruleset
no nat on $ext from $natvpn to $lanremote

Any help will be very much appreciated. Thank you in advance.
Last edited by J65nko; 11th April 2011 at 04:01 PM. Reason: [code] and [/code], [quote] and [/quote] tags added
Are you sure http://openbsd.org/faq/upgrade47.html#hmac-sha2 is not affecting you?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Thank you for your reply.
I think that this is not the case; in my ipsec.conf I don't use hmac-sha2. In the meantime I've found the solution to this error:
Code:
Apr 8 16:20:37 fire1 isakmpd[18227]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.0.0.0/255.0.0.0, responder id 172.16.196.16/255.255.255.240
Apr 8 16:20:37 fire1 isakmpd[18227]: dropped message from <remotefw> port 500 due to notification type INVALID_ID_INFORMATION

I also added the NAT IP address to ipsec.conf:
Code:
# the NAT target net is listed with the LANs so the responder ID the peer proposes (172.16.196.16/28) matches a local flow
ike esp from { 172.16.196.16/28, 172.16.1.0/24, 172.29.128.96/27, 172.20.44.224/27, 172.20.43.192/27 } to 10.0.0.0/8 \
        local <myfw_pub_ip> peer <remotefw_pub_ip> \
        main auth hmac-md5 enc 3des \
        quick auth hmac-md5 enc 3des group none \
        psk XXXXXXXXXX

and I've tried changing modp1024 to none to fix the second error. It seems to work fine, but sometimes an error still appears:
Code:
isakmpd[27703]: message_parse_payloads: reserved field non-zero: 5
Apr 12 12:06:39 fire1 isakmpd[27703]: dropped message from <remotefw> port 500 due to notification type PAYLOAD_MALFORMED
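The phase 2 ID rejection in this thread comes down to a selector check: once pf rewrites the LAN sources to $natvpn on enc0, the only source the remote peer ever sees is the NAT network, so its proposal names 172.16.196.16/28 as this firewall's side, and isakmpd refuses it unless a local "ike ... from" selector covers it. The script below is an added example (not code from the thread, nor from OpenBSD or isakmpd) that parses an INVALID_ID_INFORMATION log line and checks both proposed IDs against the local flow selectors. The networks are the ones posted above; the log line is constructed in the same format as the one quoted in the thread. It also shows that the later PAYLOAD_MALFORMED drop is a different class of error, since it carries no phase 2 IDs to check.

```python
"""Check isakmpd phase-2 ID errors against the local ipsec.conf flow selectors.

Added example for this thread; not code from the thread or from OpenBSD.
With 'match out on enc0 ... nat-to $natvpn', the remote peer sees tunnel
traffic sourced from $natvpn, so its phase-2 proposal names that network as
OUR side.  isakmpd rejects the proposal unless a local 'ike ... from' selector
covers it, which is what the INVALID_ID_INFORMATION messages above show.
"""
import ipaddress
import re

# Values taken from the rules posted in the thread.
LANS = ["172.16.1.0/24", "172.29.128.96/27", "172.20.44.224/27", "172.20.43.192/27"]
NATVPN = "172.16.196.16/28"      # nat-to target on enc0
LANREMOTE = "10.0.0.0/8"         # remote site

# Constructed log line (same format as the one quoted in the thread).
LOG_LINE = ("Apr  8 16:20:37 fire1 isakmpd[18227]: responder_recv_HASH_SA_NONCE: "
            "peer proposed invalid phase 2 IDs: initiator id 10.0.0.0/255.0.0.0, "
            "responder id 172.16.196.16/255.255.255.240")

_ID_RE = re.compile(r"invalid phase 2 IDs: initiator id ([\d./]+), responder id ([\d./]+)")


def _nets(strings):
    # ipaddress accepts both prefix ("/28") and dotted-mask ("/255.255.255.240") forms
    return [ipaddress.ip_network(s, strict=False) for s in strings]


def parse_phase2_ids(line):
    """Return (initiator_net, responder_net) from an INVALID_ID line, else None."""
    m = _ID_RE.search(line)
    if m is None:
        return None
    initiator, responder = _nets(m.groups())
    return initiator, responder


def is_covered(net, selectors):
    """True when every address of `net` lies inside one configured selector."""
    return any(net.subnet_of(sel) for sel in selectors)


def missing_local_selectors(ike_from, nat_to):
    """Post-NAT source nets that the 'ike ... from { }' list does not cover.

    After nat-to on enc0 the only source the peer ever sees is `nat_to`, so
    that is the net the local selector list must contain.
    """
    sels = _nets(ike_from)
    return [str(n) for n in _nets([nat_to]) if not is_covered(n, sels)]


def diagnose(line, ike_from, ike_to):
    """Classify one isakmpd log line against our flow.

    When we are the responder, 'responder id' is what the peer claims for OUR
    side (must fall inside our 'from' list) and 'initiator id' is the peer's
    side (must fall inside our 'to' list).
    """
    ids = parse_phase2_ids(line)
    if ids is None:
        return "not a phase-2 ID error"      # e.g. the PAYLOAD_MALFORMED drops
    initiator, responder = ids
    problems = []
    if not is_covered(responder, _nets(ike_from)):
        problems.append(f"responder id {responder} not in local 'from' selectors")
    if not is_covered(initiator, _nets(ike_to)):
        problems.append(f"initiator id {initiator} not in local 'to' selectors")
    return "; ".join(problems) if problems else "IDs match configured flows"


if __name__ == "__main__":
    # Original flow: LANs only -> the responder ID 172.16.196.16/28 is uncovered.
    print(diagnose(LOG_LINE, LANS, [LANREMOTE]))
    print(missing_local_selectors(LANS, NATVPN))
    # Flow from the follow-up post: NAT net added -> proposal is accepted.
    print(diagnose(LOG_LINE, LANS + [NATVPN], [LANREMOTE]))
```

Run it against the original flow and it reports the responder ID as uncovered; add the NAT network to the "from" list, as the follow-up post did, and the same line is accepted. Feeding it the "reserved field non-zero" or PAYLOAD_MALFORMED lines returns "not a phase-2 ID error", which is the hint that those drops are a parsing or interoperability problem with the peer's IKE messages rather than a selector mismatch.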